Audit Report

OIG-07-048

FOREIGN ASSETS CONTROL: Actions Have Been Taken to
Better Ensure Financial Institution Compliance With OFAC
Sanction Programs, But Their Effectiveness Cannot Yet Be
Determined

September 20, 2007

Office of Inspector General
Department of the Treasury

Contents

Audit Report

    Results in Brief

    Background

    Findings

        OFAC Did Not Seek Additional Legislative Authority, But Has Signed an MOU
        With Regulators to Share Information

        New OFAC Compliance Examination Guidelines Could Ensure Consistent
        Coverage

    Recommendations

    Other Matters Reported by FDIC OIG

Appendices

    Appendix 1:  Objective, Scope, and Methodology
    Appendix 2:  OFAC Actions Taken in Response to Six of the 2002 Report’s
                 Recommendations
    Appendix 3:  Management Response
    Appendix 4:  Major Contributors to This Report
    Appendix 5:  Report Distribution

Abbreviations

    FBAs    federal banking agencies
    FDIC    Federal Deposit Insurance Corporation
    FFIEC   Federal Financial Institutions Examination Council
    GAO     Government Accountability Office
    IRS     Internal Revenue Service
    MOU     memorandum of understanding
    NCUA    National Credit Union Administration
    OCC     Office of the Comptroller of the Currency
    OFAC    Office of Foreign Assets Control
    OIG     Office of Inspector General
    OTS     Office of Thrift Supervision
    RFPA    Right to Financial Privacy Act
    SDNs    Specially Designated Nationals and Blocked Persons
    SEC     Securities and Exchange Commission

OIG Audit Report
The Department of the Treasury
Office of Inspector General

September 20, 2007

Adam Szubin
Director, Office of Foreign Assets Control

This report presents the results of a follow-up audit we conducted
to determine whether the Office of Foreign Assets Control (OFAC)
had taken action to improve its ability to ensure that financial
institutions are
complying with OFAC sanctions. In April 2002, we
reported that OFAC was limited in its ability to monitor financial
institution compliance. We recommended at the time that OFAC
inform Congress of legislative impairments which prevent OFAC
from conducting its own examinations of banks or having access to
their financial records.[1]

OFAC administers and enforces economic and trade sanctions
against targeted foreign countries, terrorists, international narcotics
traffickers, and those engaged in activities related to the
proliferation of weapons of mass destruction. Although not
required to have an OFAC compliance program by specific law or
regulation, financial institutions are required to block or reject any
transactions involving targeted individuals, companies, or other
organizations with a link to these entities. OFAC has direct
administrative and enforcement authority over regulated
institutions, but compliance examinations of banks and other
financial institutions are generally conducted by the five federal
banking agencies (FBAs) and other federal financial regulators.[2] The
regulators manage their compliance examinations independently
from OFAC.

[1] Treasury Office of Inspector General (OIG), Foreign Assets Control: OFAC’s Ability to Monitor
Financial Institution Compliance Is Limited Due to Legislative Impairments, OIG-02-082 (Apr. 26, 2002).
[2] The FBAs are, within Treasury, the Office of the Comptroller of the Currency and Office of Thrift
Supervision, and external to Treasury, the Federal Deposit Insurance Corporation, Board of Governors of
the Federal Reserve System, and National Credit Union Administration. Other federal financial regulators
include the Securities and Exchange Commission, Commodity Futures Trading Commission, and Internal
Revenue Service.

We performed our fieldwork on this follow-up audit from
January 2005 to December 2006. During this period, we also
performed audits at the Office of the Comptroller of the Currency
(OCC) and the Office of Thrift Supervision (OTS) pertaining to their
OFAC compliance examination programs. A description of audit
objective, scope, and methodology is included as appendix 1.

Results in Brief

OFAC has not sought legislative change to improve its ability to
ensure financial institutions comply with OFAC sanctions. OFAC
management is satisfied with the current system. Management
believes, as it did in our prior audit, that there is a high degree of
compliance with its sanctions programs based on required blocking
and reject reports filed by financial institutions, the results of
OFAC’s follow-up on those reports, information received by OFAC
outside the system of required reporting, and the examinations of
financial institutions conducted by FBAs.

In response to our April 2002 report, OFAC did agree that
(1) regulator information sharing could be improved and
(2) increased oversight and detailed account reviews by regulators
could be beneficial. Since our prior report was issued, two
significant actions have occurred.

As the first action, in April 2006 OFAC entered into a
Memorandum of Understanding (MOU) with the FBAs to improve
information sharing so as to mitigate the risk of not being made
aware of financial institution noncompliance issues. Although it is
too early for us to evaluate its effectiveness, the MOU caveats that
FBAs share information with OFAC “to the extent permitted by
law, including the Right to Financial Privacy Act (RFPA).” OFAC
had previously indicated that a technical amendment to the RFPA
might be needed and that Treasury was reviewing the possibility of
such a change. OFAC currently believes that RFPA only minimally
impacts its ability to obtain information from regulators and
financial institutions. Accordingly, no changes to the RFPA have
been made or proposed.

As the second action, with regard to regulatory oversight, in
June 2005 the Federal Financial Institutions Examination Council
(FFIEC)[3] issued the Bank Secrecy Act/Anti-Money Laundering
Examination Manual (FFIEC manual). The FFIEC manual provides
comprehensive guidance for the FBAs to follow when conducting
OFAC compliance examinations.[4] Based upon audits at OCC and
OTS by our office and audits by the Federal Deposit Insurance
Corporation (FDIC) Office of Inspector General (OIG) and National
Credit Union Administration (NCUA) OIG of their respective
agencies, this guidance was clearly needed. But as a matter that is
not addressed by the FFIEC manual, the four audits also found that
examination documentation did not provide persuasive evidence
that financial institution OFAC compliance programs were
adequate.
In response, the four FBAs agreed to improve OFAC
examination documentation going forward.

Recognizing that these recent actions need time to mature, we are
recommending that OFAC monitor whether the OFAC-related
examination information the FBAs provide is sufficient to assess
compliance at specific institutions and for the overall banking
industry. If necessary, appropriate action should be taken, such as
seeking modification to the April 2006 MOU or requesting from
Congress an amendment to the RFPA. We also are recommending
that OFAC determine whether MOUs should be established with
other federal financial regulators and self-regulatory organizations[5]
for sharing information on financial institutions for which they have
OFAC oversight responsibility.

[3] The FFIEC, established under title X of the Financial Institutions Regulatory and Interest Rate Control
Act of 1978, is a formal interagency body empowered to prescribe uniform principles, standards, and
report forms for the examination of financial institutions by the federal bank regulators.
The Financial
Services Regulatory Relief Act of 2006 added a representative state regulator as a full voting member.
[4] The FFIEC manual was updated in 2006 and 2007.
[5] Self-regulatory organizations are non-government organizations that have statutory responsibility to
regulate their own members, such as the New York Stock Exchange and National Association of
Securities Dealers.

Our April 2002 report also included six recommendations to
improve other aspects of OFAC sanction program administration.
We found that OFAC has taken or is in the process of taking
appropriate corrective actions as described in appendix 2.

In response to our draft report, OFAC reiterated its previously
stated position that the information it obtains from mandatory
blocking and reject reports and from other sources, complemented
by information shared by the FBAs under the MOU, enable it to
adequately assess compliance at specific institutions and for the
overall banking industry. According to OFAC, RFPA is a minor
hindrance because OFAC has sufficient authority and access to
violation and examination information. OFAC, however, will
continue to monitor the situation to assure the usefulness of
information from financial institution examinations.
Regarding
information sharing with self-regulatory organizations and the
Internal Revenue Service (IRS), OFAC said it shares information
with the Securities and Exchange Commission (SEC) and
self-regulatory organizations, and is in process of establishing an MOU
with IRS. OFAC will monitor the efficiency and effectiveness of the
procedures established with SEC and the self-regulatory agencies
and make adjustments as necessary. OFAC has also signed MOUs
with 17 state banking agencies. OFAC’s response is included in
this report as appendix 3.

Background

OFAC Mission

The mission of OFAC, an office within the Department of the
Treasury’s Office of Terrorism and Financial Intelligence, is to
administer and enforce economic and trade sanctions, based on
U.S. foreign policy and national security goals, against targeted
foreign countries, regimes, terrorists, international narcotics
traffickers, and those engaged in activities related to the
proliferation of weapons of mass destruction. OFAC acts under
presidential wartime and national emergency powers, as well as
authority granted by specific legislation, to impose controls on
transactions and freeze foreign assets under U.S. jurisdiction.

Economic sanctions are intended to deprive the target of the use of
its assets and deny the target access to the U.S.
financial system
and the benefits of trade, transactions, and services involving U.S.
markets. To prohibit commercial or financial transactions involving
sanctioned countries, entities, or individuals, OFAC primarily relies
on delegations of authority made pursuant to the President’s broad
powers under the Trading With the Enemy Act and the
International Emergency Economic Powers Act. OFAC currently
administers 30 economic sanctions programs pursuant to
presidential and congressional mandates. Though 8 of these
30 programs have been terminated, they still require residual
administrative and enforcement activities.

As part of its enforcement efforts, OFAC publishes on its web site
a list of individuals and companies controlled by, or acting on
behalf of, targeted countries. It also lists individuals, groups, and
entities, such as terrorists and narcotics traffickers designated
under programs that are not country-specific. Collectively, such
individuals and companies are called Specially Designated Nationals
and Blocked Persons (SDNs).

Financial Institution Responsibilities

In order to ensure that a transaction is not processed in violation of
OFAC sanctions, financial institutions by necessity should have
systems to adequately monitor their financial transactions. When a
transaction is found to match an entry on OFAC’s listings, the
transaction must either be blocked or rejected.
A blocked
transaction immediately imposes an across-the-board prohibition
against transfers or dealings of any kind regarding the account.[6] A
rejected transaction is one that does not contain a blockable
interest,[7] but nonetheless cannot be processed without violating
OFAC prohibitions. When a financial institution blocks or rejects a
transaction, the institution is required to file a report with OFAC
within 10 business days.

[6] The blocked funds are placed in an interest-bearing account by the financial institution and are not to
be released without an official OFAC license authorizing the release of the funds. OFAC does not take
possession of any funds that are blocked.
[7] As an example cited in OFAC literature, the Sudanese Sanctions Regulations prohibit transactions in
support of commercial activities in Sudan. Therefore, a bank would have to reject a funds transfer
between two companies if the transfer involves an export to a company in Sudan even if the companies
are not SDNs. Because Sudanese Sanctions would only require blocking transactions with the
Government of Sudan or SDNs, there would be no blockable interest in the funds between the two
companies. However, because the transactions would constitute support of Sudanese commercial
activity, which is prohibited, the bank cannot process the transaction and must reject the transaction.

OFAC can impose civil penalties, criminal penalties, or both for
noncompliance with the established sanctions. Civil penalties can
range from $11,000 to $1 million per infraction, and criminal
violations can result in corporate and personal fines of up to
$10 million and imprisonment for up to 30 years.

Role of Regulators

OFAC generally relies on regulators to ensure that financial
institutions implement appropriate programs to help ensure that the
financial institutions do not process transactions in violation of
OFAC sanctions. OFAC’s access to information held by the FBAs is
restricted under RFPA. Specifically, information obtained by FBAs
involving an account of an individual on the books of a U.S.
financial institution cannot be shared with anyone other than
another financial regulator. In this regard, RFPA does not define
OFAC as a regulator; therefore, this subset of information can only
be shared in redacted form. OFAC can request and receive this
information directly from the financial institution using its own
authorities.

GAO Audit

In September 2004, the Government Accountability Office (GAO)
issued a report that recommended that Treasury seek legislative
authority, if necessary, to enhance OFAC’s ability to ensure
financial institution compliance with sanctions by allowing
regulators to share complete information from their examinations
with OFAC.[8] Treasury responded by maintaining that it was
uncertain whether legislative changes were necessary to enhance
information sharing between OFAC and regulators. Treasury
stressed that it had confidence in the manner and level of
compliance and monitoring that occurred in the current system and
stated that comprehensive arrangements would be in place shortly
to enhance information sharing between OFAC and regulators.

[8] GAO, Foreign Regimes’ Assets: The United States Faces Challenges in Recovering Assets, but Has
Mechanisms That Could Guide Future Efforts, GAO-04-1006 (Sept. 14, 2004).

Findings

Finding 1   OFAC Did Not Seek Additional Legislative Authority, But
            Has Signed an MOU With Regulators to Share Information

In our April 2002 report, we recommended that Treasury inform
Congress that OFAC lacks sufficient authority to ensure that
financial institutions comply with OFAC sanctions requirements.
OFAC did not agree that its monitoring efforts were hampered by a
lack of legislative authority and asserted, both in response to our
earlier report and today, that there is a high degree of financial
institution compliance with OFAC sanctions. Although OFAC did
not seek legislative change, OFAC management agreed that it
could benefit from regulators sharing more information with OFAC.
As a means of achieving this end, the five FBAs and OFAC signed
an MOU in April 2006 to facilitate the sharing of OFAC-related
examination results.

While it is too early to evaluate the effectiveness of the MOU,
OFAC offered several examples of how the MOU has facilitated
communication with the FBAs. Even with the MOU in place,
RFPA-related restrictions involving accounts of individuals at U.S.
financial institutions exist.
OFAC believes the restrictions are
minimal and do not affect information sharing.

OFAC Believes its Authority is Sufficient

In response to our April 2002 report, OFAC asserted that it did not
need additional legislative authority to ensure that U.S. financial
institutions are complying with OFAC sanctions. OFAC’s position,
which has not wavered, is that the overall compliance level is very
strong and the monitoring that occurs under the current system is
sufficient. In addition, according to OFAC, the banking industry has
developed a heightened awareness of OFAC regulations and
prohibitions on dealing with targeted entities and extensively uses
interdict software to identify illegal transactions. Furthermore,
OFAC believes that testing of transactions at the tens of thousands
of financial institutions would duplicate the work of regulators and
require a massive new OFAC bureaucracy, while not having a
significant effect on compliance.

Our April 2002 report did not recommend or suggest that OFAC
establish a new bureaucracy to duplicate the work of regulators.
However, we believed then, as we do now, that by relying
primarily on third parties to assess financial institutions’ compliance
with OFAC requirements, OFAC may be at risk of not knowing of
noncompliance issues.

Specifically, both OFAC and regulators are barred by statute from
sharing certain information about accounts of individuals at U.S.
financial institutions.
To make such information sharing easier,
OFAC had previously indicated that a technical amendment to the
RFPA might be needed and that Treasury was reviewing the
possibility of such a change. OFAC currently believes that the
RFPA is only minimally restrictive and access to financial institution
information is generally satisfactory. Thus, no changes to the RFPA
have been made or proposed.

Effect of MOU on Sharing of OFAC-Related Compliance
Examination Results Are Not Fully Known

In April 2006, OFAC and the five FBAs (OCC, OTS, FDIC, Board of
Governors of the Federal Reserve System, and NCUA) signed an
MOU that established procedures for the exchange of certain
information between OFAC and the regulators. The MOU’s purpose
is to address RFPA-related restrictions that have prevented OFAC
from obtaining OFAC-related examination results from the
regulators. However, based on the terms of the MOU, the
information exchange may still be restricted by RFPA.

The FBAs are to notify OFAC promptly of any apparent, unreported
sanctions violations discovered in the course of an examination. In
addition, they are to notify OFAC when significant deficiencies are
discovered in a financial institution’s policies, procedures, and
processes for ensuring compliance with OFAC regulations. Finally,
in cases in which OFAC-related deficiencies have been identified,
OFAC may make a written request for information relating to the
examination or the supervisory findings regarding a financial
institution’s policies, procedures, and processes for ensuring OFAC
compliance.
The FBAs are to provide the examination information
and other information specified in the MOU to the extent permitted
by law, including the RFPA. Since no change has been made to the
RFPA statute, it is unclear how restrictive this caveat will be.
However, OFAC believes that the caveat will not have a significant
effect on information sharing.

Furthermore, because the MOU was recently signed, it is too soon
to assess its effectiveness in improving information sharing
between examiners and OFAC. However, OFAC believes the MOU
has been beneficial. OFAC said FBAs have provided information in
response to OFAC requests or in problematic situations where the
regulator did not have responsibility. In addition, OFAC said it had
requested that they perform examinations where a financial
product appeared risky. We did not verify this information.

We believe the restriction on sharing information related to
individual accounts maintained at U.S. financial institutions could
reduce its effectiveness. As mentioned before, the provisions of
the MOU are subject to constraints imposed by RFPA. Although
OFAC believes that RFPA imposes minimal constraints, the MOU’s
effectiveness in improving the sharing of information remains
uncertain and untested at this point.
Also, the MOU may be
terminated by OFAC or any of the FBAs with 30 days written
notice.

In December 2006, OFAC informed us that it was working with the
Council of State Bank Supervisors to enter into MOUs with state
supervisory agencies. In its September 2007 response to our draft
report, OFAC stated that it now has MOUs with 17 state agencies.
It should be noted that in addition to state-regulated banks, OFAC
requirements impact self-regulatory organizations regulated by SEC
and the Commodity Futures Trading Commission and certain
industries regulated by the IRS.[9] Accordingly, OFAC needs to
determine whether MOUs should be established with these
agencies as well.

[9] Industries regulated by the IRS for Bank Secrecy Act and OFAC compliance include casinos, money
services businesses, insurance companies, and jewelers.

Finding 2   New OFAC Compliance Examination Guidelines Could
            Ensure Consistent Coverage

In an effort to implement uniform Bank Secrecy Act and OFAC
examination procedures among the FBAs, in June 2005 the FFIEC
released the Bank Secrecy Act/Anti-Money Laundering Examination
Manual.
[10] OFAC partnered with the FBAs to create the OFAC
examination section of the FFIEC manual.

The FFIEC manual states that, as a matter of sound banking
practice and in order to ensure compliance, a bank should establish
and maintain an effective, written OFAC compliance program. The
program should identify high-risk areas, provide for appropriate
internal controls for screening and reporting, establish independent
testing for compliance, designate a bank employee or employees as
responsible for OFAC compliance, and create training programs for
appropriate personnel in all relevant areas of the bank. Part of the
FFIEC guidance prescribes that a fundamental element of a sound
OFAC program is the bank’s assessment of its specific product
lines, customer base, and nature of transactions and identification
of the high-risk areas for OFAC transactions.
A bank’s OFAC\n                        program should be commensurate with its respective OFAC risk\n                        profile.\n\n                        According to the FFIEC manual, FBAs are to examine financial\n                        institutions to determine the adequacy of each institution’s OFAC\n                        program and the effectiveness of its risk management program.\n                        Based on the risk determination of the institution under\n                        examination, as well as a review of prior examination reports and\n                        internal audit findings for the institution, the examiners then select\n                        which policies and procedures to verify.\n\n10\n  Among other things, the Bank Secrecy Act, as amended, requires financial institutions to report\ncertain currency transactions and suspicious financial activity to Treasury. Financial institutions are also\nspecifically required to maintain a Bank Secrecy Act compliance program. Treasury’s Financial Crimes\nEnforcement Network, a Treasury bureau under the Office of Terrorism and Financial Intelligence, is the\nadministrator of the Bank Secrecy Act.\n\n                      The FFIEC manual also states that examinations should include\n                      transaction testing.11 However, examiners may generally limit\n                      transaction testing to only those high-risk areas identified in the\n                      bank’s risk assessment. 
For OFAC, depending on assessed risk, the\n                      examiners may choose to use transaction testing to evaluate,\n                      among other things, the bank’s handling of new accounts, controls\n                      over the use of interdict software, handling of blocked\n                      transactions, and/or the resolution of “hits.”\n\n                      We believe the FFIEC guidance was needed. Prior to the guidance\n                      being issued, each FBA implemented its own examination steps to\n                      assess compliance with OFAC sanctions programs. Transaction\n                      testing was discretionary, and based on our reviews of OCC and\n                      OTS examination workpapers and interviews with examiners, was\n                      a procedure rarely done during examinations.\n\n                      We do have a concern in that the FFIEC manual does not address\n                      how OFAC compliance examinations are to be documented. When\n                      reviewing examinations conducted by OCC and OTS, we found\n                      that the available examination documentation was generally\n                      insufficient for us to determine whether examiners adequately\n                      assessed OFAC program compliance. As a result, we were unable\n                      to provide OFAC with reasonable assurance that the examination\n                      results regarding OFAC compliance were valid and reliable.12 OCC\n                      and OTS officials stated that their procedures did not require the\n                      examiners to fully document results when they found OFAC\n                      compliance programs adequate. 
In response to our\n                      recommendations, both regulators agreed to better document\n                      examination results going forward.\n\n11\n   As provided in the FFIEC manual, examiners perform transaction testing to evaluate the adequacy of\nthe bank’s compliance with regulatory requirements, determine the effectiveness of its policies,\nprocedures, and processes, and evaluate suspicious activity monitoring systems. Transaction testing is\nan important factor in forming conclusions about the integrity of the bank’s overall controls and risk\nmanagement processes and must be performed at each examination. The extent of transaction testing\nand activities where it is performed is based on various factors, including the examiner’s judgment of\nrisks, controls, and the adequacy of the independent testing by the bank’s internal audit section.\n12\n   Treasury OIG, Foreign Assets Control: Assessing OCC’s Examination of OFAC Compliance Was\nHampered by Limited Documentation, OIG-06-033 (Jul. 31, 2006); and Foreign Assets Control:\nAssessing OTS's Examination of OFAC Compliance Was Hampered by Limited Documentation,\nOIG-06-044 (Sept. 26, 2006).\n\n                      While our audit work at OCC and OTS covered OFAC examinations\n                      performed before the FFIEC manual was issued, audits by the FDIC\n                      OIG and NCUA OIG covered examinations after the manual was\n                      issued and also found documentation issues. 
In this regard, FDIC\n                      OIG issued an audit report in December 2006 which found that\n                      FDIC could improve its approach to OFAC compliance by\n                      monitoring and tracking sanction violations, compliance\n                      deficiencies, and enforcement actions. FDIC OIG also cited the\n                      need for better documenting of workpapers for examination\n                      planning and contact with OFAC, completing core exam\n                      procedures, and concluding on the adequacy of the OFAC\n                      compliance programs and interdiction systems. These measures\n                      could assist OFAC and FDIC to address risks associated with OFAC\n                      noncompliance.13 Similarly, the NCUA OIG reported in\n                      December 2006 that its efforts to evaluate and verify examiners’\n                      conclusions regarding OFAC compliance were hampered by a lack\n                      of information.14 The OIG of the Federal Reserve System is also\n                      conducting an audit of OFAC compliance examinations performed\n                      by selected Federal Reserve Banks, but has not yet completed its\n                      work.\n\n\nRecommendations\n                      We recommend that the Director of OFAC do the following:\n\n                          1. Determine whether the OFAC-related examination\n                             information provided by the federal bank regulators under the\n                             April 2006 MOU is sufficient for OFAC to assess compliance\n                             at specific institutions and for the overall banking industry. 
If\n                             not, action should be taken to modify the MOU or request\n                             from Congress, through appropriate means, an amendment\n                             to the Right to Financial Privacy Act.\n\n13\n   FDIC OIG, FDIC’s Supervision of Financial Institutions’ OFAC Compliance Programs, 07-001 (Dec.\n2006).\n14\n   NCUA OIG, Office of Foreign Assets Control Compliance Review, OIG-06-09 (Dec. 18, 2006).\n\n                              Management Response\n\n                              OFAC believes that information it obtains from mandatory\n                              blocking and reject reports and from other sources,\n        complemented by the information shared by the FBAs under\n        the MOU with OFAC, enables it to adequately assess\n        compliance at specific institutions and for the overall banking\n        industry. According to OFAC, the limitations on information\n        sharing required by the RFPA are minor and do not hinder its\n        ability to administer and enforce its sanctions programs. The\n        regulators and OFAC notify one another of transactions and\n        accounts that appear to involve violations of sanctions\n        regulations and share covered material in redacted form. The\n        regulators inform the banks they regulate about their\n        obligations to contact OFAC directly. Both OFAC and the\n        FBAs have their own authorities to obtain information from\n        financial institutions. Any relevant information which is\n        redacted can be obtained by OFAC directly from banks using\n        its own administrative subpoena authority. 
OFAC will\n        continue to monitor the situation to assure that the\n        examination process provides useful information in\n        evaluating institutions and their compliance with OFAC\n        regulations.\n\n        OIG Comment\n\n        OFAC’s commitment to monitor this area addresses the\n        intent of our recommendation.\n\n    2. Determine whether MOUs should be established with self-\n       regulatory organizations and the IRS for sharing information\n       on financial institutions for which they have OFAC oversight\n       responsibility.\n\n        Management Response\n\n        Earlier this year, the Under Secretary for the Office of\n        Terrorism and Financial Intelligence delegated authority to\n        the IRS to enable it to examine institutions for compliance\n        with OFAC regulations where it has examination authority\n        for Bank Secrecy Act compliance. An MOU is currently in\n        process to enable greater information sharing between IRS\n        and OFAC. OFAC will monitor the effectiveness of the\n        arrangement and make adjustments as necessary.\n\n                              OFAC now has MOUs with 17 state agencies as well as\n                              with all of the FBAs and a separate MOU with the FDIC’s\n                              Division of Resolutions and Receiverships.\n\n                              According to OFAC, it enjoys an open dialogue and free\n                              exchange of information with SEC and the securities industry\n                              self-regulatory organizations. 
SEC shares information with\n                              OFAC on an as-needed basis through the use of “Access\n                              Letters.” OFAC said that whenever such letters have been\n                              sent by OFAC based on its dialogue with the SEC, detailed\n                              case information has always been timely forthcoming. OFAC\n                              said it will continue to monitor the efficiency and\n                              effectiveness of these procedures and make adjustments as\n                              necessary.\n\n                              OIG Comment\n\n                              OFAC’s actions, if implemented as described, satisfy the\n                              intent of our recommendation.\n\nOther Matters Reported by FDIC OIG\n                      In its December 2006 report, the FDIC OIG noted, as a matter for\n                      congressional consideration, that a more comprehensive statutory\n                      and regulatory framework exists for ensuring compliance with the\n                      Bank Secrecy Act than for OFAC compliance, although both laws\n                      address national security and law enforcement concerns.15 In this\n                      regard, Executive Order 13224 expanded the scope of U.S.\n                      sanctions against international terrorists and terrorist organizations,\n                      and OFAC’s authority related to such, but there was no statutory\n                      change to recognize OFAC’s expanded authority. Additionally, the\n                      Order did not address the FBAs’ authorities related to OFAC\n                      examination coverage or enforcement. 
The FDIC OIG report\n                      provides an extensive analysis of this matter.\n\n                      FDIC OIG also noted that our office, in our April 2002 report, and\n                      GAO, in its September 2004 report, concluded that OFAC is limited\n                      in its ability to monitor financial institution compliance with\nsanction requirements and does not have the authority to conduct\nexaminations or proactively monitor financial institutions for\ncompliance. In written comments provided to FDIC OIG, OFAC\ndisagreed that its authority to investigate and conduct compliance\nreviews is impaired.\n\n15\n  FDIC OIG, FDIC’s Supervision of Financial Institutions’ OFAC Compliance Programs, 07-001\n(Dec. 2006).\n\nIncluded in OFAC’s response to our report is its response to the\nFDIC OIG on this matter. See appendix 3.\n\n                                  ******\n\nWe would like to extend our appreciation to OFAC personnel for\nthe cooperation and courtesies extended to our staff during the\nreviews. If you have any questions, please contact me at\n(617) 223-8640, or Stephen Syriala, Audit Manager, at\n(617) 223-8643.\n\n\n/s/\nDonald P. 
Benson\nDirector\n\nAppendix 1\nObjective, Scope, and Methodology\n\nOur objective was to follow up on a 2002 OIG audit report and\nreview current Office of Foreign Assets Control (OFAC) monitoring\nefforts to ensure financial institution compliance with OFAC\nsanctions programs. We interviewed OFAC officials and staff in\nOFAC’s Office of Compliance, Civil Penalties Division, and\nLicensing Division to determine what changes had been made to\nthe program since 2002 and the current status of their efforts.\n\nWe reviewed and confirmed that OFAC had taken action to address\nsix of the eight recommendations from the 2002 OIG audit report\nby developing new policies and procedures or by implementing\nreplacement programs. (See appendix 2 for a summary of the\nrecommendations and OFAC actions.) OFAC did not agree with the\nother two recommendations in the prior report. As a result, we\nfocused on issues related to these two recommendations, which\ninvolved OFAC’s ability to monitor financial institution compliance\nwith OFAC sanction programs.\n\nWe reviewed data reported by the Office of Compliance regarding\nthe number of blocked and rejected financial transactions and the\nidentity of the institutions involved in those transactions. We\nidentified and reviewed OFAC penalty cases and warning letters\nissued.\n\nWe also reviewed the provisions of the April 2006 Memorandum of\nUnderstanding pertaining to the exchange of examination results\nbetween OFAC and the various regulators and the sections of the\nJune 2005 Federal Financial Institutions Examinations Council Bank\nSecrecy Act/Anti-Money Laundering Manual (FFIEC manual) relating\nto OFAC. 
The FFIEC manual, which provides comprehensive\nguidance for the federal bank regulators to follow when conducting\nOFAC compliance examinations, was updated in 2006.\n\nAs part of our OFAC coverage, we separately audited the coverage\nprovided by the Office of Comptroller of the Currency and Office of\nThrift Supervision examiners in assessing financial institutions’\nOFAC policies and procedures and issued reports on these audits.\nWe also coordinated with the Federal Deposit Insurance\nCorporation OIG, the National Credit Union Administration OIG, and\nthe Federal Reserve Board OIG when they were planning similar\naudits at their respective agencies.\n\nWe conducted our audit from March 2005 to December 2006. We\nperformed our review in accordance with generally accepted\ngovernment auditing standards.\n\nAppendix 2\nOFAC Actions Taken in Response to Six of the 2002 Report’s Recommendations\n\nOur April 2002 report included six recommendations related to\nOffice of Foreign Assets Control (OFAC) sanction program\nadministration. 
Specifically, we recommended that OFAC\n\n•   Establish processing procedures for financial transactions\n    reported.\n•   Develop a standardized form to be used when reporting blocked\n    and/or rejected transactions.\n•   Review its Blocked/Rejected Transactions database to identify\n    and remove duplicates.\n•   Research the feasibility of developing procedures to reconcile\n    the Annual Blocked Property Report to the Blocked/Rejected\n    Transactions database.\n•   Ensure that the licensing database is updated.\n•   Adhere to its penalty guidance when establishing accounts\n    receivable.\n\nIn response to the recommendations, OFAC implemented a\nBlocked/Rejected Transactions database and is in the process of\nimplementing a uniform electronic response which banks will use to\nreport such transactions. OFAC adopted new procedures that\nensure that duplicate entries are identified and addressed. OFAC\nalso updated the database throughout the licensing process for\neach record within the new system. With respect to developing\nprocedures to reconcile the Annual Blocked Property Report to the\ndata, OFAC decided that the reconciliation would require far too\nmany resources and there were no material advantages to carrying\nout the reconciliation. We assessed OFAC’s reasons and agree\nwith its decision. 
Furthermore, we found that OFAC now includes\nall the relevant information in a new form when setting up\naccounts receivable for penalty amounts due the government.\n\nAppendix 3\nManagement Response\n\nAppendix 4\nMajor Contributors to This Report\n\nStephen Syriala, Audit Manager\nThomas Mason, Auditor-in-Charge\nHorace Bryan, Referencer\n\nAppendix 5\nReport Distribution\n\nThe Department of the Treasury\n\nUnder Secretary, Office of Terrorism and Financial Intelligence\nAssistant Secretary, Terrorist Financing and Financial Crimes\nOffice of Strategic Planning and Performance Management\nOffice of Accounting and Internal Controls\n\nOffice of Foreign Assets Control\n\nDirector\n\nOffice of Management and Budget\n\nOIG Budget Examiner\n"